Privacy Law and Policy Reporter
Janine HainesTechnological advances in the latter half of the 20th century have occurred at such a rapid pace and have been accepted with such enthusiasm by the majority of the world's population that many, if not most, people have overlooked the fact that there is a down-side to the burgeoning use of computers, the Internet and other modern high tech paraphernalia. One of those problems is the increasing capacity for, and hence likelihood of, breaches of the rights individuals (as well as corporations) have to privacy. In the past, too few people have recognised this and even fewer have spoken out about it -- and all too often those who have issued warnings have been met with the banal (and erroneous) statement that `if you've got nothing to hide, you've got nothing to fear'.
One of the few people to raise concerns (well in advance of those who saw only the advantages and few of the potential disadvantages inherent in the world's rapturous embrace of new technologies) was Zelman Cowan who argued in 1969 that `proper surveillance over the character and relevance of the information stored by a computer' was necessary if its benefits were not to be outweighed by breaches of privacy. Human nature being what it is, his warning (while apposite) was largely ignored, again at least partly because few people really understood either the concept or the consequences. Several years later, however, the SA Parliament, recognising that `privacy' had to be defined in order to be protected, decided that the term meant protection from `intrusion' into areas such as an individual's personal life and their communications with others.
By 1988, the Federal Government was forced to respond to growing community concerns by passing the Privacy Act 1988 (Cth) -- a piece of legislation which covered most Commonwealth agencies. The 11 Information Privacy Principles in that legislation laid down guidelines for the collection, collation, storage, security, use and disclosure of personal information. Concern about breaches of individual privacy and the need for better protection of personal data had already led to the establishment of the Independent Commission Against Corruption (ICAC) in NSW. Following the release of its reports in 1990 and, in particular, the revelation that the activities which were the subject of that inquiry `were part of a wider trade in confidential [NSW] government information', a meeting was held in Sydney attended by representatives of some of the major record-keeping organisations in Australia such as credit reference bureaus and telecommunications carriers as well as others concerned about the prevention of further breaches of privacy.
That meeting resulted in the formation of the Australian Privacy Charter Council (see <2 PLPR 41>) chaired, until recently, by Justice Michael Kirby. I was elected to take his place when he retired from the position in July. The members of the council committed themselves to putting privacy protection policies in place within their own organisations. They included representatives of several companies whose need and capacity to accumulate large amounts of personal data meant they were particularly vulnerable to both privacy breaches and public concern. Telecom, as it was then, was among them. When the company, by then called Telstra, merged with OTC in 1992, AUSTEL and the Telecommunications Industry Ombudsman assumed the responsibility for overseeing privacy provisions within the industry.
In other words, it is required to analyse the type and source of data collected by Telstra, its dissemination for purposes of providing a service, its accessibility to employees of Telstra and any other practices which have, or could have, an impact on the security of the data and hence the privacy of customers. In particular, it has to determine whether there are sufficient safeguards in place to ensure that the privacy of customer data is properly protected. This external audit is complementary to Telstra's own audit and privacy programs and includes an audit of the security of customers' personal data stored within Telstra's computer system. The findings of that audit are presented to both Telstra management and the Audit Panel and a public report is issued annually.
This has been no mean feat given that Telstra employs over 70,000 people nation-wide as well as hundreds of others in contract positions or associated with its operations in peripheral areas. The independent audit conducted by Price Waterhouse and overseen by the Audit Panel has involved scrutinising the security of customers' personal data stored within Telstra's computer system and is additional to Telstra's own audit and privacy programs. The resulting recommendations have led to Telstra expanding its Privacy Protection Policy by, among other things, limiting the amount of data collected and kept on customers and placing significant restrictions on access to that data within Telstra as well as on disclosure of the information.
The Privacy Audit Panel's terms of reference include:
The Panel is also required to report annually to Telstra's CEO.
Additional procedures such as ensuring that access to customers personal data is limited to authorised personnel on a needs basis and the requirement that confidentiality agreements must be signed, play both a direct and indirect role in privacy protection. Direct because it ensures that customers' personal data are seen by as few employees as possible and indirect because it reinforces to employees the emphasis placed on data privacy protection by the company.
As Privacy Commissioner Kevin O'Connor noted when he released the Human Rights and Equal Opportunity Commission paper, Community Attitudes to Privacy, `Australians want greater control over personal data held by government and business ... [because] ... There is a feeling that control of personal information, particularly on computers, is beyond an individual's power ... and they want to have a say over how it is obtained and used.'
The role of Telstra's Privacy Audit Panel is to ensure that Australia's major telecommunications carrier, already aware of public expectations of them as well as public concerns about both the potential for and the actuality of breaches of privacy in organisations which collect personal data, meets its obligations.
Janine Haines, Chair of Telstra's Privacy Audit Panel, and Chair of the Australian Privacy Charter Council.